What is Tokenisation & How Does It Relate to PCI DSS?

PCI Pal - Thursday June 9th, 2016

The PCI DSS (Payment Card Industry Data Security Standard) is no walk in the park for organisations and contact centres to comply with. Yet the standard is mandatory for any business that wants to accept cards from the brands that make up the PCI SSC (Security Standards Council): Visa, MasterCard, American Express, Discover Financial Services and JCB.

PCI compliance is also essential for businesses that appreciate how important it is to protect customer data and their own security, particularly when it comes to preserving customer trust and the brand’s reputation.

Ultimately, adhering to these standards is difficult, but it’s also a huge priority which must be handled carefully and effectively. But there are solutions which can make the whole process simpler…

Choosing a PCI Solution

If you’ve been searching for a PCI compliance solution which takes the burden away from your business, you’ll no doubt have come across reams of information, acronyms, technical terms and options.

Many of these solutions apply only to specific types of business (e.g. ecommerce merchants, or small bricks-and-mortar enterprises); others require varying degrees of integration with, and co-operation from, your own systems and staff. That makes it tricky to know which route is right for you.

Introducing Tokenisation

In this quick guide we’ll be taking a closer look at one potential solution, which is becoming increasingly prevalent amongst organisations that process payments over the phone: tokenisation.

What is Tokenisation?

Tokenisation reduces the PCI DSS burden for businesses that take telephone payments by letting them avoid storing cardholder data on their own systems. Under PCI DSS, only the systems that store, process or transmit cardholder data (the cardholder data environment, or CDE) have to meet the full set of controls; when your systems hold tokens rather than card numbers, the number of controls that apply, and the evidence needed to prove them, shrinks considerably. The caveat is that any system which still captures or carries the card number before it is tokenised remains in scope.

The process replaces the Primary Account Number (PAN, the long card number printed on the card) and associated sensitive data with a “token” at the point the card details are taken over the phone. Each token is a randomly generated surrogate value with no mathematical relationship to the PAN it stands for, so there is nothing in the token to reverse-engineer. This is the key difference from encryption: an encrypted PAN can be recovered by anyone who obtains the key, whereas a random token can only be resolved back to the card number by looking it up in the vault that issued it. An attacker who steals a database of tokens therefore obtains no card numbers, provided the tokens cannot themselves be used to initiate payments outside your own merchant account.

The real card data is captured and stored in a data vault, typically operated by a third-party service provider that is itself validated as PCI DSS compliant. The vault, not your contact centre, becomes the system that has to meet the full set of PCI DSS storage controls, removing the need for your business to hold data that would otherwise demand significant protection on its own systems.
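To make the mechanism concrete, here is an added example (not PCI Pal’s code or any real provider’s) of a toy token vault and the contact centre’s side of a phone payment. The vault issues tokens from a cryptographic random number generator and holds the only PAN-to-token mapping; the contact centre keeps just the token. Two design choices are assumptions of this example rather than anything the article states: the token keeps the card’s length and last four digits so an agent can still say “the card ending 1111”, and any candidate token that would pass the Luhn check is rejected so a token can never be mistaken for a real card number. The `find_pans` scan is the kind of check a practitioner would run over the merchant’s own data to confirm that no card numbers remain in it. The card numbers used are the publicly documented Visa and Amex test PANs, constructed here as sample input, not real cards.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812) that every real card PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Crude DLP-style scan: 13-19 digit runs that pass Luhn are treated as PANs."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_valid(m)]


class TokenVault:
    """Toy vault held by the service provider. Only this object can map token -> PAN.
    A real vault would also encrypt the stored PANs and audit every de-tokenisation."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:       # same card -> same token, so the
            return self._token_by_pan[pan]  # merchant can still spot repeat customers
        while True:
            # Random body from a CSPRNG (assumed design: keep length and last four
            # digits so agents can confirm "card ending ...." without the PAN).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that are already issued or that pass Luhn: a token
            # must never be mistakable for, or usable as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Provider-side only: the contact centre has no path to this call."""
        return self._pan_by_token[token]


def take_phone_payment(vault: TokenVault, order_id: str, pan_from_caller: str) -> dict:
    """What the contact centre keeps after a call: order reference and token, never the PAN."""
    token = vault.tokenise(pan_from_caller)
    return {"order": order_id, "card_token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the standard Visa and Amex test PANs, not real cards.
    records = [
        take_phone_payment(vault, "A100", "4111111111111111"),
        take_phone_payment(vault, "A101", "378282246310005"),
    ]
    print("merchant records:", records)
    print("PANs found in merchant store:", find_pans(repr(records)))
    print("provider can still charge card:", vault.detokenise(records[0]["card_token"]))
```

Running the script shows the merchant records containing only tokens and last-four digits, the PAN scan over those records returning nothing, and the vault alone able to turn a token back into the card number. If the same scan were run over call recordings or CRM notes and found card numbers, those systems would still be inside the CDE regardless of tokenisation.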

What are the Benefits of Tokenisation?

When businesses take payments over the telephone, card details may be read aloud to an agent, keyed into the agent’s desktop, or conveyed by the caller pressing keys (DTMF touch tones), and all of these can end up in call recordings, screen captures and CRM notes. Because contact centres and their ilk are typically part of large, sprawling and interconnected estates, it is very difficult indeed to keep that data contained and inaccessible.

When the card details are captured by the provider’s platform rather than by the contact centre’s own systems, the cardholder data never enters the company’s environment at all. The company keeps only the token for each transaction, while the specialist third-party provider processes the payment and stores the card details securely.

This process doesn’t just keep customer data safe, protect the reputation of the business and limit the impact of a breach (an attacker who compromises the contact centre’s systems finds tokens, not card numbers); it also relieves organisations of many of the PCI DSS compliance hoops they must jump through annually or even quarterly.

Would you like to learn more about tokenisation and how it could help your contact centre handle compliance simply and effectively? At PCI Pal we use tokenisation processes every day to support our clients, which include contact centres across the UK and beyond. For more information, expert advice and assistance, please contact our specialist consultants today.